3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
12 namespace Civi\API\Subscriber
;
15 use CRM_Core_DAO_AllCoreTables
as AllCoreTables
;
16 use Symfony\Component\EventDispatcher\EventSubscriberInterface
;
19 * Given an entity which dynamically attaches itself to another entity,
20 * determine if one has permission to the other entity.
22 * Example: Suppose one tries to manipulate a File which is attached to a
23 * Mailing. DynamicFKAuthorization will enforce permissions on the File by
24 * imitating the permissions of the Mailing.
26 * Note: This enforces a constraint: all matching API calls must define
27 * "id" (e.g. for the file) or "entity_table+entity_id" or
28 * "field_name+entity_id".
30 * Note: The permission guard does not exactly authorize the request, but it
31 * may veto authorization.
33 class DynamicFKAuthorization
implements EventSubscriberInterface
{
38 public static function getSubscribedEvents() {
40 'civi.api.authorize' => [
41 ['onApiAuthorize', Events
::W_EARLY
],
47 * @var \Civi\API\Kernel
49 * Treat as private. Marked public due to PHP 5.3-compatibility issues.
54 * The entity for which we want to manage permissions.
58 protected $entityName;
61 * The actions for which we want to manage permissions
68 * SQL SELECT query - Given a file ID, determine the entity+table it's attached to.
70 * ex: "SELECT if(cf.id,1,0) as is_valid, cef.entity_table, cef.entity_id
71 * FROM civicrm_file cf
72 * INNER JOIN civicrm_entity_file cef ON cf.id = cef.file_id
75 * Note: %1 is a parameter
76 * Note: There are three parameters
77 * - is_valid: "1" if %1 identifies an actual record; otherwise "0"
78 * - entity_table: NULL or the name of a related table
79 * - entity_id: NULL or the ID of a row in the related table
83 protected $lookupDelegateSql;
86 * SQL SELECT query. Get a list of (field_name, table_name, extends) tuples.
88 * For example, one tuple might be ("custom_123", "civicrm_value_mygroup_4",
93 protected $lookupCustomFieldSql;
98 * Each item is an array(field_name => $, table_name => $, extends => $)
100 protected $lookupCustomFieldCache;
103 * List of related tables for which FKs are allowed.
107 protected $allowedDelegates;
110 * @param \Civi\API\Kernel $kernel
112 * @param string $entityName
113 * The entity for which we want to manage permissions (e.g. "File" or
115 * @param array $actions
116 * The actions for which we want to manage permissions (e.g. "create",
118 * @param string $lookupDelegateSql
119 * See docblock in DynamicFKAuthorization::$lookupDelegateSql.
120 * @param string $lookupCustomFieldSql
121 * See docblock in DynamicFKAuthorization::$lookupCustomFieldSql.
122 * @param array|NULL $allowedDelegates
123 * e.g. "civicrm_mailing","civicrm_activity"; NULL to allow any.
125 public function __construct($kernel, $entityName, $actions, $lookupDelegateSql, $lookupCustomFieldSql, $allowedDelegates = NULL) {
126 $this->kernel
= $kernel;
127 $this->entityName
= AllCoreTables
::convertEntityNameToCamel($entityName, TRUE);
128 $this->actions
= $actions;
129 $this->lookupDelegateSql
= $lookupDelegateSql;
130 $this->lookupCustomFieldSql
= $lookupCustomFieldSql;
131 $this->allowedDelegates
= $allowedDelegates;
135 * @param \Civi\API\Event\AuthorizeEvent $event
136 * API authorization event.
137 * @throws \API_Exception
138 * @throws \Civi\API\Exception\UnauthorizedException
140 public function onApiAuthorize(\Civi\API\Event\AuthorizeEvent
$event) {
141 $apiRequest = $event->getApiRequest();
142 if ($apiRequest['version'] == 3 && AllCoreTables
::convertEntityNameToCamel($apiRequest['entity'], TRUE) == $this->entityName
&& in_array(strtolower($apiRequest['action']), $this->actions
)) {
143 if (isset($apiRequest['params']['field_name'])) {
144 $fldIdx = \CRM_Utils_Array
::index(['field_name'], $this->getCustomFields());
145 if (empty($fldIdx[$apiRequest['params']['field_name']])) {
146 throw new \
Exception("Failed to map custom field to entity table");
148 $apiRequest['params']['entity_table'] = $fldIdx[$apiRequest['params']['field_name']]['entity_table'];
149 unset($apiRequest['params']['field_name']);
153 empty($apiRequest['params']['id']) && empty($apiRequest['params']['entity_table'])
155 throw new \
API_Exception("Mandatory key(s) missing from params array: 'id' or 'entity_table'");
158 if (isset($apiRequest['params']['id'])) {
159 list($isValidId, $entityTable, $entityId) = $this->getDelegate($apiRequest['params']['id']);
160 if ($isValidId && $entityTable && $entityId) {
161 $this->authorizeDelegate($apiRequest['action'], $entityTable, $entityId, $apiRequest);
162 $this->preventReassignment($apiRequest['params']['id'], $entityTable, $entityId, $apiRequest);
165 elseif ($isValidId) {
166 throw new \
API_Exception("Failed to match record to related entity");
168 elseif (!$isValidId && strtolower($apiRequest['action']) == 'get') {
169 // The matches will be an empty set; doesn't make a difference if we
171 // To pass SyntaxConformanceTest, we won't veto "get" on empty-set.
176 if (isset($apiRequest['params']['entity_table'])) {
177 if (!\CRM_Core_DAO_AllCoreTables
::isCoreTable($apiRequest['params']['entity_table'])) {
178 throw new \
API_Exception("Unrecognized target entity table {$apiRequest['params']['entity_table']}");
180 $this->authorizeDelegate(
181 $apiRequest['action'],
182 $apiRequest['params']['entity_table'],
183 \CRM_Utils_Array
::value('entity_id', $apiRequest['params'], NULL),
189 throw new \
API_Exception("Failed to run permission check");
194 * @param string $action
195 * The API action (e.g. "create").
196 * @param string $entityTable
197 * The target entity table (e.g. "civicrm_mailing").
198 * @param int|null $entityId
199 * The target entity ID.
200 * @param array $apiRequest
201 * The full API request.
203 * @throws \API_Exception
204 * @throws \Civi\API\Exception\UnauthorizedException
206 public function authorizeDelegate($action, $entityTable, $entityId, $apiRequest) {
207 if ($this->isTrusted($apiRequest)) {
211 $entity = $this->getDelegatedEntityName($entityTable);
213 throw new \
API_Exception("Failed to run permission check: Unrecognized target entity table ($entityTable)");
216 throw new \Civi\API\Exception\
UnauthorizedException("Authorization failed on ($entity): Missing entity_id");
220 * @var \Exception $exception
224 \CRM_Core_Transaction
::create(TRUE)->run(function($tx) use ($entity, $action, $entityId, &$exception, $self) {
230 'check_permissions' => 1,
234 $result = $self->kernel
->runSafe($entity, $self->getDelegatedAction($action), $params);
235 if ($result['is_error'] ||
empty($result['values'])) {
236 $exception = new \Civi\API\Exception\
UnauthorizedException("Authorization failed on ($entity,$entityId)", [
248 * If the request attempts to change the entity_table/entity_id of an
249 * existing record, then generate an error.
252 * The main record being changed.
253 * @param string $entityTable
255 * @param int $entityId
257 * @param array $apiRequest
258 * The full API request.
259 * @throws \API_Exception
261 public function preventReassignment($fileId, $entityTable, $entityId, $apiRequest) {
262 if (strtolower($apiRequest['action']) == 'create' && $fileId && !$this->isTrusted($apiRequest)) {
263 // TODO: no change in field_name?
264 if (isset($apiRequest['params']['entity_table']) && $entityTable != $apiRequest['params']['entity_table']) {
265 throw new \
API_Exception("Cannot modify entity_table");
267 if (isset($apiRequest['params']['entity_id']) && $entityId != $apiRequest['params']['entity_id']) {
268 throw new \
API_Exception("Cannot modify entity_id");
274 * @param string $entityTable
275 * The target entity table (e.g. "civicrm_mailing" or "civicrm_activity").
276 * @return string|NULL
277 * The target entity name (e.g. "Mailing" or "Activity").
279 public function getDelegatedEntityName($entityTable) {
280 if ($this->allowedDelegates
=== NULL ||
in_array($entityTable, $this->allowedDelegates
)) {
281 $className = \CRM_Core_DAO_AllCoreTables
::getClassForTable($entityTable);
283 $entityName = \CRM_Core_DAO_AllCoreTables
::getBriefName($className);
293 * @param string $action
294 * API action name -- e.g. "create" ("When running *create* on a file...").
296 * e.g. "create" ("Check for *create* permission on the mailing to which
299 public function getDelegatedAction($action) {
302 // reading attachments requires reading the other entity
307 // creating/updating/deleting an attachment requires editing
320 * (0 => bool $isValid, 1 => string $entityTable, 2 => int $entityId)
323 public function getDelegate($id) {
324 $query = \CRM_Core_DAO
::executeQuery($this->lookupDelegateSql
, [
325 1 => [$id, 'Positive'],
327 if ($query->fetch()) {
328 if (!preg_match('/^civicrm_value_/', $query->entity_table
)) {
329 // A normal attachment directly on its entity.
330 return [$query->is_valid
, $query->entity_table
, $query->entity_id
];
333 // Ex: Translate custom-field table ("civicrm_value_foo_4") to
334 // entity table ("civicrm_activity").
335 $tblIdx = \CRM_Utils_Array
::index(['table_name'], $this->getCustomFields());
336 if (isset($tblIdx[$query->entity_table
])) {
337 return [$query->is_valid
, $tblIdx[$query->entity_table
]['entity_table'], $query->entity_id
];
339 throw new \
Exception('Failed to lookup entity table for custom field.');
342 return [FALSE, NULL, NULL];
347 * @param array $apiRequest
348 * The full API request.
351 public function isTrusted($apiRequest) {
352 // isn't this redundant?
353 return empty($apiRequest['params']['check_permissions']) or $apiRequest['params']['check_permissions'] == FALSE;
358 * Each item has keys 'field_name', 'table_name', 'extends', 'entity_table'
360 public function getCustomFields() {
361 $query = \CRM_Core_DAO
::executeQuery($this->lookupCustomFieldSql
);
363 while ($query->fetch()) {
365 'field_name' => $query->field_name
,
366 'table_name' => $query->table_name
,
367 'extends' => $query->extends,
368 'entity_table' => \CRM_Core_BAO_CustomGroup
::getTableNameByEntityName($query->extends),